Advice on a second VPN to a DMZ

I was to follow this Cisco example of configuring a LAN-to-LAN VPN:

hostname(config)# interface ethernet0
hostname(config-if)# ! nameif/security-level added so that "outside" exists for the isakmp and crypto map commands below
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.10.4.100 255.255.0.0
hostname(config-if)# no shutdown
hostname(config)# ! IKE phase 1 policy: shared by every L2L peer that uses these values
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ! IPsec phase 2 proposal (command is "transform-set", hyphenated)
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# ! Interesting traffic for this tunnel: local 192.168.0.0/16 to remote 150.150.0.0/16
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)# ! Tunnel group is named after the peer address for an L2L tunnel
hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
hostname(config-ipsec)# pre-shared-key xxx
hostname(config)# ! Crypto map entry 1 ties the ACL, peer and transform set together
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory

If I later on need to set up a new tunnel group to, let's say, a DMZ on one of the hosts, do I need to redo the isakmp policy part for every new connection, or is adding a new tunnel group and a new access-list enough?

Accepted Solution

Re: Advice on a second VPN to a DMZ

Yup, if you want to keep the same values then you don't need to redo the isakmp part; in fact you can use the same transform set.

All you need to add is tunnel groups, access lists and crypto map entries with sequence number 2, 3 and so on, with different peers and ACLs.

Regards
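What the accepted answer describes, written out as an added example (not from the thread or from Cisco's documentation): a second L2L tunnel to a DMZ subnet that reuses isakmp policy 1 and transform-set FirstSet from the question, and only adds a new ACL, a new tunnel group and crypto map entry 2 on the existing map. The second peer address 10.10.4.120, the DMZ subnet 172.16.50.0/24, the ACL name dmz_l2l_list and the pre-shared key placeholder are all assumed values.

```cisco
! Added example: second LAN-to-LAN tunnel reusing the existing phase 1 policy
! and transform set. Peer, subnets, ACL name and key below are placeholders.

! Interesting traffic for tunnel 2: our LAN to the remote DMZ only.
! Keep this disjoint from l2l_list; overlapping selectors are matched by the
! lowest crypto map sequence number first, so traffic could land in tunnel 1.
access-list dmz_l2l_list extended permit ip 192.168.0.0 255.255.0.0 172.16.50.0 255.255.255.0

! Tunnel group keyed by the new peer's address, with its own pre-shared key.
tunnel-group 10.10.4.120 type ipsec-l2l
tunnel-group 10.10.4.120 ipsec-attributes
 pre-shared-key SECOND_PEER_PSK_PLACEHOLDER

! Next sequence number on the SAME map. abcmap is already bound to "outside",
! so no second "crypto map abcmap interface outside" line is needed.
crypto map abcmap 2 match address dmz_l2l_list
crypto map abcmap 2 set peer 10.10.4.120
crypto map abcmap 2 set transform-set FirstSet
write memory

! Verification once traffic matching dmz_l2l_list has been sent:
! phase 1 SA for 10.10.4.120 should appear, then phase 2 counters should increment.
show crypto isakmp sa
show crypto ipsec sa peer 10.10.4.120
```

Each further tunnel follows the same pattern with sequence 3, 4 and so on, a distinct peer address (the tunnel-group name is the peer IP, so two tunnels to the same peer need a single entry with a combined ACL rather than two entries) and its own key. The example keeps the thread's 3DES/MD5 transform set for consistency with the question; a new deployment would pick stronger algorithms in both the isakmp policy and the transform set, which is still a one-time change shared by all the peers.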

